What Is Cryptojacking? How to Protect Yourself Against Crypto Mining Malware

While most crypto hacks involve stealing private keys belonging to a crypto wallet and emptying it, cryptojacking involves infecting a device with malware to gain control over it. Here’s how you can protect yourself.

AccessTimeIconMar 22, 2022 at 12:15 p.m. UTC
Updated Apr 10, 2024 at 3:05 a.m. UTC
Layer 2

Crypto hacks and scams come in many shapes. Some hackers directly break into wallets and steal money, others promise love to cheat you out of your coins, and some are so sneaky you rarely even notice your device has been compromised.

Cryptojacking falls into the latter category.

Cryptojacking is a type of cyberattack in which hackers exploit a device’s computing power without the owner’s authorization and use it to mine cryptocurrency. It became a widespread problem during the 2017 crypto boom as bitcoin and other cryptocurrencies' prices skyrocketed, making crypto mining a highly profitable business.

This explainer is part of CoinDesk's Mining Week series.

At one point, cryptojacking was the sixth most common malware globally, according to a report by Check Point Software, a Tel Aviv, Israel-based cybersecurity firm.

Lately, cryptojacking is having a renaissance. Google’s cybersecurity action team wrote in a report that 86% of all the compromised Google Cloud accounts were harnessed to mine cryptocurrencies.

It’s not just individuals that are targeted: Companies and public utilities are falling victim to cryptojacking, too. For example, Tesla was hit by cryptojacking malware that infected the automaker’s cloud and used the processing power to mine crypto in the background.

In early 2018, U.K. government websites and more than 4,000 others worldwide were exploited by cryptojacking viruses.

What is cryptojacking?

Think about cryptojacking like a parasite that sucks a computer's energy in secret. It’s delivered in the form of malicious software (malware) that infects your devices in order to use it for cryptocurrency mining. The target can be any device: computer, smartphone, even cloud servers – the latter is called cloud jacking.

The motive, unsurprisingly, is to make money. When a device is infected with cryptojacking malware, it takes control over the device’s computing power and channels a part of it to mine certain cryptocurrencies. Then, it sends any mined coins to the hacker’s wallet

There was a time when websites experimented with mining crypto using their visitors’ computers for extra revenue. This is called browser mining and it uses a simple web browser plugin that mines coins while you are on the website.

It is important to point out that unlike cryptojacking, browser mining is not a cybercrime. The big difference is whether the user is aware and gives consent to let the website use the device for cryptocurrency mining purposes. If it happens without authorization, then it is considered cryptojacking and a criminal act.

Some heralded browser mining as a new business model to monetize web traffic. Reputable digital news sites such as Salon and less reputable but much more popular site The Pirate Bay experimented with authorized “cryptojacking” as a complementary income stream. Even the United Nations Children's Fund (UNICEF) used it in 2018 to harness supporters' computers to raise donations via cryptocurrency mining.

For a while, there was an entire service built on this. CoinHive provided lines of code that let webpages use their visitors’ devices to mine Monero, a privacy-focused cryptocurrency.

Unsurprisingly, it did not take much time before it was used improperly. Webpages started to abuse the service to make extra revenue from visitors without their consent.

In fact, cryptojacking became so widespread that CoinHive came under significant scrutiny and was eventually forced to shut down in 2019.

How does cryptojacking work?

The reason cryptojacking is so prevalent is that the entry barrier is low and very profitable for hackers. Hackers only need a few lines of JavaScript code to sneak into a device that later will run the mining malware surreptitiously in the background.

Hackers may bait the user into clicking on a phishing email link to upload the malicious code onto their device.

Another possibility is to infect a website with a cryptojacking command line embedded in the HTML code that runs the program automatically once the user opens a specific webpage.

Some versions of cryptojacking malware are even capable of passing the virus on to other devices and infecting entire servers. In some instances, this can allow hackers to benefit from the huge computing resources of large server farms practically for free.

Most of the time, cryptojacking does not involve the theft or corruption of any personal data. Its main purpose is to gain access to your device’s computing power. Additionally, they are incentivized to stay under the radar. The longer the malware runs undetected on a computer the more revenue hackers receive from mining coins.

Cryptojacking only exists with cryptocurrencies that use the proof-of-work consensus protocol. This subset of coins uses computational power to verify transactions and secure the network, and by doing that, they are rewarded with coins.

According to Interpol, the most notorious cryptocurrency that hackers mine is monero (XMR) because of the high level of anonymity it offers, making transactions difficult to trace. Bitcoin (BTC), the largest proof-of-work cryptocurrency, was once popular among cryptojackers, but the mining industry has grown so competitive with specialized machines and large warehouses that it makes little sense trying to mine it using other people's laptops.

How can you detect cryptojacking?

The goal of cryptojacking is to hide in the background for as long as possible to mine more cryptocurrency. Malware is designed to use just as much power as it needs, and it goes largely unnoticed.

However, there are certain signs that your computer has been infected by cryptojacking malware. Some examples are:

  • High CPU (central processing unit) usage
  • Device is slower and noisier
  • Overheating
  • Battery dies faster
  • Unexpected increases in electricity bills (for server farms)

It does not necessarily mean that your device mines crypto if you experience any of the signs above. Open Task Manager on PC or Activity Monitor on Mac to check out what programs are using your device’s computing power.

The best is to run a system check using antivirus software. Most cybersecurity programs are able to recognize, detect and quarantine cryptojacking malware, including:

  • Avira Antivirus
  • Avast
  • Bitdefender
  • Eset
  • Malwarebytes

For people who operate websites, you can hunt for suspicious lines in the HTML code or turn to programs that scan websites for malicious codes. Some examples for the latter include:

  • Malcure
  • Sucuri

How can you protect yourself against cryptojacking?

In the end, cryptojacking malware is not that much different from any other type of malware. The Cybersecurity and Infrastructure Security Agency (CISA) published a long list of tips to protect your devices with technical details, but here are the basics to avoid getting infected by a cryptojacking cyberattack.

  • Install antivirus and malware protection software and keep them up to date.
  • Use ad blockers in your browser.
  • Avoid websites that are notorious for running cryptojacking scripts.
  • Disable Javascript in your browser.
  • Protect server parks with cybersecurity systems.

Further Reading from CoinDesk’s Mining Week

Even with the surge in popularity, home bitcoin mining only accounts for a small slice of the industry’s overall pie.

CoinDesk reporters traveled across Europe, Asia and North America to capture the diversity of cryptocurrency mining facilities. This piece is part of CoinDesk's Mining Week.

Cities across the U.S. are grappling with what it means to have cryptocurrency mining operations in their communities. Plattsburgh offers a sobering case study.

This article was originally published on Mar 22, 2022 at 12:15 p.m. UTC


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Krisztian  Sandor

Krisztian Sandor is a reporter on the U.S. markets team focusing on stablecoins and institutional investment. He holds BTC and ETH.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.